
need a little help

OK, normally I would try and do this on my own, but everything keeps shutting down/crashing too often to get any good results.

A roommate thinks there is a 'shell' being loaded on startup on my PC. My desktop icons regularly flash and refresh. Explorer won't stay open. House Call won't run. None of my AV/malware detectors stay open long enough to finish a scan.

Running XP Pro SP2, fully updated.

When I look at my system performance my CPU is always at 100% and my pagefile is over 500MB.

My pagefile settings are max and min set at 256MB.

Also on startup there is something, not sure if bad or not, just don't recognize it, called geols31.exe running.

I wish I could try and give more info, but nothing wants to stay open or run, as I said, even in safe mode as admin.

If anyone can point me in the right direction to get more info for you guys, please tell me what to do.

"He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
Benjamin Franklin

OK, as soon as I posted this I actually got Ewido to run a scan. This is what it says it was able to clean from backup. Not sure if the backups it used are corrupt or not, so maybe this will help.

All of these were found in C:\system volume information\_restore . . .

Backdoor.PPdoor.bc - found multiple times in that directory
Adware.Virtumonde - ditto
Downloader.CWS.cs - only one instance found
Trojane.iespy - only one found
Trojan.Agent.fd - again only one

The ones listed below were found in my \windows\system32 directory:
Adware.Virtumonde - again multiple times
Backdoor.PPdoor.al - only one found with the .al
Backdoor.PPdoor.bc - multiple found with the .bc

Didn't realize I could export Ewido scan results as a text file; doing so now.


I would say you need to disable your System Restore (How to Info), then go back into safe mode and run your scans again and clean them out, then reboot into normal mode; this should flush your old System Restore points.

Most of these System Restore points are created by the user downloading and installing programs, so when malware is downloaded via a browser hijack, it becomes part of the System Restore point, and each time you boot up they can be reactivated, or if you try to do a System Restore to an earlier date.

Do a couple of online scans in Safe Mode with networking from Trend Micro and Panda...also you may want to get Stinger from McAfee...

PC Registered user # 2,336,789,457...

"When the water reaches the upper level, follow the rats." Claude Swanson

Your solution lies in buying a USB external enclosure for your hard drive.
Remove the hard drive, set the drive jumpers as Master, put the drive in the enclosure, and plug the USB enclosure into a known UNINFECTED system. You should be able to access the drive as another drive letter now, say D: or E:.

Now run a checkdisk. If time permits, I would run a surface scan in conjunction with the checkdisk.

After you've done all that, take the drive out, reinsert it in the computer and reboot to Safe Mode by pressing F8 repeatedly (once a second) until you get a menu. Choose Safe Mode with Networking. Don't press the F5 key as that is NOT what I want.

While booting you will eventually see some graphic page (not the desktop yet), either saying "Loading Safe Mode" or "Windows XP" or whatever. As long as you see some sort of graphic page (ANY graphic page), hold down the Shift key until the desktop is fully loaded. Doing this prevents certain programs from autoloading on bootup.

While in Safe Mode, are things working somewhat?

If so, shut down normally and boot up to Standard mode, but again, press and hold the Shift key until the desktop is fully loaded.

Is it working?

If so, get on the internet and download a program called "CodeStuff Starter". It's FREE and will allow you to uncheck those programs you don't want loading on startup. It's better than most of its competitors.

[Edit: Since I posted this, some other posts intervened saying Remove your restore points. I can agree with that too.]

If you can't slave the drive to clean it for some reason, maybe look at BartPE (http://www.nu2.nu/pebuilder/). You can run Windows-based anti-malware stuff from it. Just DL the creator and add the modules that you want. You can make your own modules quite easily for it. I believe it already has Ad-Aware modules (although you will need to update defs). Only downside to this is that you need a PC to burn the .iso on.

Originally posted here by brokencrow: Sounds like you've been using Internet Explorer. That's how this stuff's gettin' in. FWIW.

You mean a poorly configured Internet Explorer. Firefox has also had more than its share of security vulnerabilities. There just aren't many working exploits because the user base is still smallish.

Run your browser under a different user account that only has read/write permissions to the cache folder and read permissions to the browser's home directory. If you need to save files, create a special folder that the user can only read/write to. Deny "Login over Network" for this user account under the Local Group Policy Settings.
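One way to set up the restricted browser account described in the post above, as an added example (not from the thread). It assumes a modern Windows with PowerShell 5.1+ (New-LocalUser, icacls, secedit, runas) and an elevated prompt; the account name, folder paths and browser path are placeholders.

```powershell
# Added example, not from the thread: low-privilege local account for the browser,
# with read/write only to a cache and a download folder, read-only on the browser's
# own directory, and "Deny log on from the network" set for the account.
# Assumes Windows PowerShell 5.1+; names and paths below are placeholders.
$User    = 'browseruser'
$Cache   = 'C:\BrowserSandbox\Cache'          # read/write: browser cache only
$Saved   = 'C:\BrowserSandbox\Downloads'      # read/write: the one place to save files
$Browser = 'C:\Program Files\Mozilla Firefox' # read-only: the browser's own directory

# 1. Standard (non-admin) account. New-LocalUser does not add it to any group,
#    so put it in 'Users' explicitly and nowhere else.
$pw = Read-Host -AsSecureString "Password for $User"
New-LocalUser -Name $User -Password $pw -PasswordNeverExpires `
              -Description 'Restricted browser account' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $User

# 2. Folder ACLs: drop inheritance, then grant exactly the rights named.
foreach ($d in $Cache, $Saved) {
  New-Item -ItemType Directory -Force -Path $d | Out-Null
  icacls $d /inheritance:r /grant:r "${User}:(OI)(CI)M" 'Administrators:(OI)(CI)F' | Out-Null
}
icacls $Browser /grant:r "${User}:(OI)(CI)RX" | Out-Null   # read + execute, no write

# 3. "Deny log on from the network" via a security template.
#    Note: secedit replaces the right's whole list; append any existing entries after the SID.
$sid = (Get-LocalUser -Name $User).SID.Value
$inf = Join-Path $env:TEMP 'deny-network-logon.inf'
$db  = Join-Path $env:TEMP 'deny-network-logon.sdb'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$sid
"@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# 4. Start the browser as that account (runas prompts for its password).
runas /user:$User "`"$Browser\firefox.exe`""
```

The browser still has to be configured to keep its cache under the cache folder, and the account's own profile directory remains writable to it, which is the limit of this approach.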

Firefox has also had more than its share of security vulnerabilities. There just aren't many working exploits because the user base is still smallish.

All software has its vulnerabilities, including Firefox. It's the vulnerabilities it doesn't have, ActiveX and embedding, that make it much safer. Of course, you can download the ActiveX plug-in for Firefox, but I don't reco' it. And there's no doing away with Explorer's kernel status. Hack IE and you can get into the kernel. Hack Firefox and where are you?

I notice he still hasn't responded to this post to say how he's doing.

Well, since he's running XP, if you haven't been able to do your scans yet, or don't have another computer as most of these suggestions require:

Reboot in safe mode, through F8. Next, I believe you can clear your restore points here, which is:
right-click My Computer > Properties > System Restore tab. Turn off System Restore on all drives (if you have more than one you often have to do it on each).

Next go to Start > Run,
type in MSCONFIG,
go to the Startup tab and disable anything that looks suspicious (if you're unsure you can always come back and fix this, unlike HijackThis's run list).
Run a few of your utilities, reboot in normal mode, run them again.

This will allow you to at least have some usability of your computer, and you should be able to do your diagnostics.

Post a HijackThis scan if you're unsure of what to disable; also, if you're unsure of any of the utilities starting up under MSCONFIG, enter those as well.

(Yes, I know there are better utilities than MSCONFIG, but how often can you get to them without already having them or having an internet connection that actually RUNS?)
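Before disabling entries in MSCONFIG it helps to know what is actually registered to start and whether each file is signed; the script below, an added example that is not from the thread, enumerates the Run/RunOnce keys and Startup folders for that purpose. It assumes Windows PowerShell 5.1+ and only reads, so it changes nothing.

```powershell
# Added example (not from the thread): list what Windows will start at logon, with
# Authenticode status, so an unfamiliar entry such as geols31.exe can be looked up
# before it is disabled. Read-only: queries the registry and file system, changes nothing.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))

function Resolve-ExePath([string]$cmd) {
  # Strip quotes and arguments, expand %SystemRoot% etc.; keep only the executable path.
  $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
  if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
  return [regex]::Match($cmd, '^\S+').Value
}

$entries = @()
foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  $p = Get-ItemProperty -Path $k
  foreach ($name in $p.PSObject.Properties.Name) {
    if ($name -like 'PS*') { continue }     # PSPath, PSChildName, ... are not entries
    $entries += [pscustomobject]@{ Source = $k; Name = $name; Command = $p.$name }
  }
}
foreach ($d in $startupDirs) {
  Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | ForEach-Object {
    $entries += [pscustomobject]@{ Source = $d; Name = $_.Name; Command = $_.FullName }
  }
}

# For each entry: does the file exist, is it signed, and where is it registered?
$report = foreach ($e in $entries) {
  $exe    = Resolve-ExePath $e.Command
  $exists = $exe -and (Test-Path -LiteralPath $exe)
  $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
  [pscustomobject]@{ Name = $e.Name; Path = $exe; Signature = $sig; Location = $e.Source }
}
# Unsigned binaries in system32 or in a temp/profile directory are the ones to look up.
$report | Sort-Object Signature | Format-Table -AutoSize
```

Shortcuts (.lnk) in the Startup folders show as NotSigned because the shortcut file itself is checked, not its target.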